Considerations when building queries for DLP products
Term weight is normally reduced the longer the document is. This may be counter intuitive to the need for scanning a document for compliance issues such as PCI, as a document with reoccurring terms may lead to a higher risk, than a document with fewer items. So when searching an inverse index, it is important not to reduce the scale either by adding one plus the log, or using the cosine on a vector based search.
However by doing this, the terms in the query becomes more important. A term that has a high occurrence in both a set containing sensitive documents, and its corresponding set of non sensitive documents will lead to a high occurrence of false positives. Because of this, an effectiveness of terms must be calculated and stored over time. A term with low effectiveness should either be eliminated from the query, or should have a lower weight.
Several solutions may be available here, one is to combine highly effective terms with less effective terms in a larger pattern. The question though, is if the distribution of terms in sensitive documents take on a Gaussian property with a bell curve, or if there are power law distributions in terms. To this question, I don’t know the answer yet, but I have noticed in practice that the distribution of documents follows power law distributions. This can be used in a query strategy, where an initial query with a high false negative rate is used initially to ferret out areas with a high probability of containing sensitive documents. When this approach is used, a broader query can be used in this space.
When considering a space, it can be a geographical space such as a site, it can be a logical site such as a file server supporting the HR department, or it can be a space in time. Most likely it is a combination of the above, and may even have more vectors such as user identity, frequency etc. So far, this is a trial and error based approach. To improve on this approach, large data sets would need to be collected and analyzed.
How to secure sensitive information, data loss prevention, for sensitive data in corporations and other organizations, (ILP,CLP,DLP). It covers personal identifiable information, personal health information, credit card information, PII, PCI, PHI etc, and how to protect it. All opinions are mine, and not of my employer or any other organization. For terms of use, see first posting.
About Me
Blog Archive
-
▼
2009
(49)
-
▼
January
(21)
- NIST and DLP vendor opportunitiesNIST has publishe...
- Regular search does not consider the fact that sen...
- Content protection should be tied into access cert...
- Not long after the public notification of the brea...
- President Obama embarks on wide reaching changes i...
- Researchers have found a relationship between word...
- According to Network World, Forrester research pre...
- Interesting link to coverage of data breaches in 2...
- According to an article in Washington Post, Heartl...
- Two areas for concern for 09 will be sensitive inf...
- Using models from nature to identify sensitive inf...
- Social Networking, DLP, and Identity Management op...
- New emphasis on SEC's role in policing the financi...
- Information protection, DLP, Identity Management, ...
- NIST has published a draft guide for protecting PI...
- While looking at new players in the DLP space, I ...
- Using the information already provided by the user...
- Banks falling behind in protecting customer financ...
- California Senator Dianne Feinstein (D-Calif.) is ...
- Plenty newsworthy items this week in the DLP space...
- Considerations when building queries for DLP produ...
-
▼
January
(21)
No comments:
Post a Comment